
Implementing eventuality resolution

4.2 Implementation of the calculus $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$

4.2.4 Implementing eventuality resolution

To implement the eventuality resolution rules ERES1 and ERES2, we need to augment a first-order theorem prover with an implementation of the E-loop search algorithm defined in Section 3.4. Figure 4.9 shows the pseudocode for the implementation of this algorithm in our prover CTL-RP.

The procedure eres takes as input

1. a set T of determinate clauses, which we assume to be saturated under the step resolution rules SRES1 to SRES8 and the rewrite rules RW1 and RW2, and

2. an A-sometime clause or E-sometime clause C.

As stated in Section 3.4, if C is an A-sometime clause $Q \Rightarrow \mathbf{A}\Diamond\neg l$, then the loop search algorithm considers all global clauses, A-step clauses, and E-step clauses in T, while if C is an E-sometime clause $Q \Rightarrow \mathbf{E}_{\langle ind\rangle}\Diamond\neg l$, then the loop search algorithm considers all global clauses, A-step clauses, and all E-step clauses with index $ind$ in T. Lines 5 to 9 of our algorithm implement this case distinction and store the set of clauses that needs to be considered in the set SOS. The main part of the algorithm, lines 12 to 25, consists of a loop in which we construct a sequence of formulae $H_{-1}(x), H_0(x), H_1(x), \ldots$ until one of the following three termination conditions is satisfied:

(a) if $H_i(x)$ is equivalent to true, then we use the procedure eresolvent to return the resolvents for C and the loop formula true (lines 17 and 18);

(b) if $H_i(x)$ is equivalent to false, then no loop can be found and we return the empty set of resolvents (lines 19 and 20);

(c) if $H_i(x)$ is equivalent to $H_{i-1}(x)$, then we again use the procedure eresolvent to return the resolvents for C and the loop formula $H_i(x)$ (lines 21 and 22).

Lines 13 to 16 deal with the construction of the formula $H_i(x)$ for the current index $i$. Recall from Section 3.4 that to construct $H_i$, we need to look for merged clauses $A_j \Rightarrow (B_j \wedge l)$, $A_j \Rightarrow \mathbf{A}\bigcirc(B_j \wedge l)$ or $A_j \Rightarrow \mathbf{E}_{\langle ind\rangle}\bigcirc(B_j \wedge l)$ such that $B_j \Rightarrow H_{i-1}$ (or, equivalently, $\mathbf{A}\bigcirc B_j \Rightarrow \mathbf{A}\bigcirc H_{i-1}$). To do so, we construct a set of goal clauses Goals, with each clause containing the literal $\neg Q_l(app(s,x))$, the first-order representation of $\mathbf{A}\bigcirc\neg l$, and a disjunct from $\neg H_{i-1}(app(s,x))$, the first-order representation of $\mathbf{A}\bigcirc\neg H_{i-1}$. When trying to prove these goal clauses using the clauses in SOS, all newly derived clauses of depth one or less are the first-order representations of the $A_j$'s that we look for.

To make it easier to identify newly derived clauses, we add a literal $ls(x)$ to each of the goal clauses, where $ls$ is a new unary predicate symbol with $ls \succ p$ for all propositions $p$ occurring in the augmented set aug(T) of T. As there are no negative occurrences of $ls(x)$ in SOS, $ls(x)$ occurs in every clause derived from our goal clauses. In Figure 4.9, line 13 constructs the goal clauses, line 14 calls the procedure resolution_sos to saturate $SOS \cup Goals$ using the set-of-support strategy described in Figure 4.13, line 15 collects all newly derived clauses of depth one or less from the saturated set, using the literal $ls(x)$ to identify them, and, finally, line 16 computes $H_i(x)$.

The following example illustrates how our implementation of the loop search algorithm works.

Example 4.2

Let the set T consist of the three $\mathrm{SNF}^g_{\mathsf{CTL}}$ clauses $a \Rightarrow \mathbf{A}\bigcirc l$, $b \Rightarrow \mathbf{A}\bigcirc l$, and $a \Rightarrow \mathbf{E}_{\langle ind\rangle}\bigcirc a$, and suppose we are looking for a loop in $\neg l$. The first-order representation of these clauses is given by

(1) $\neg Q_a(x) \vee Q_l(app(s,x))$
(2) $\neg Q_b(x) \vee Q_l(app(s,x))$
(3) $\neg Q_a(x) \vee Q_a(app(s_{ind},x))$

The atom ordering we use is based on the precedence $ls \succ l \succ a \succ b$, and the selection function returns the empty set of negative literals for every clause, that is, no literals are selected in any clause.

In the following description of resolution derivations, [G] indicates a goal clause that has been added to T, [n, R, m] indicates a resolution inference involving the clauses labelled (n) and (m), and [n, C] indicates the condensation of the clause labelled (n).

During the first iteration of the main loop of eres, the set of goal clauses consists of the single clause $ls(x) \vee \neg Q_l(app(s,x))$, and resolution_sos conducts the following inferences:

[G] (4) $ls(x) \vee \neg Q_l(app(s,x))$
[1, R, 4] (5) $ls(x) \vee \neg Q_a(x)$
[2, R, 4] (6) $ls(x) \vee \neg Q_b(x)$

Clauses (5) and (6) contribute to the construction of $H_0(x)$ (see lines 15 and 16 of eres) and we obtain $H_0(x) = Q_a(x) \vee Q_b(x)$. As $H_0(x)$ does not satisfy any of the three termination conditions, the main loop of eres is executed a second time. This time, we have two goal clauses, clauses (7) and (8) below:

[G] (7) $ls(x) \vee \neg Q_l(app(s,x)) \vee \neg Q_a(app(s,x))$
[G] (8) $ls(x) \vee \neg Q_l(app(s,x)) \vee \neg Q_b(app(s,x))$
[1, R, 7] (9) $ls(x) \vee \neg Q_a(x) \vee \neg Q_a(app(s,x))$
[1, R, 8] (10) $ls(x) \vee \neg Q_a(x) \vee \neg Q_b(app(s,x))$
[2, R, 7] (11) $ls(x) \vee \neg Q_b(x) \vee \neg Q_a(app(s,x))$
[2, R, 8] (12) $ls(x) \vee \neg Q_b(x) \vee \neg Q_b(app(s,x))$
[3, R, 9] (13) $ls(x) \vee \neg Q_a(x) \vee \neg Q_a(x)$
[13, C] (14) $ls(x) \vee \neg Q_a(x)$
[3, R, 11] (15) $ls(x) \vee \neg Q_b(x) \vee \neg Q_a(x)$

As the condensed clause (14) makes clause (13) redundant and clause (14) also subsumes clause (15), of all the clauses in the saturated set only clause (14) contributes to the construction of $H_1(x)$. As $H_1(x)$ does not satisfy any of the three termination conditions, a third iteration of the main loop of eres is required. There is only one goal clause, clause (16).

[G] (16) $ls(x) \vee \neg Q_l(app(s,x)) \vee \neg Q_a(app(s,x))$
[1, R, 16] (17) $ls(x) \vee \neg Q_a(x) \vee \neg Q_a(app(s,x))$
[2, R, 16] (18) $ls(x) \vee \neg Q_b(x) \vee \neg Q_a(app(s,x))$
[3, R, 17] (19) $ls(x) \vee \neg Q_a(x) \vee \neg Q_a(x)$
[19, C] (20) $ls(x) \vee \neg Q_a(x)$
[3, R, 18] (21) $ls(x) \vee \neg Q_a(x) \vee \neg Q_b(x)$

Again, the condensed clause (20) makes clause (19) redundant and clause (20) also subsumes clause (21). Only clause (20) remains to contribute to the construction of $H_2(x)$. We obtain $H_2(x) = Q_a(x)$, which is equivalent to $H_1(x)$. Thus, the third termination condition of eres is satisfied (line 21) and the eresolvent procedure, shown in Figure 4.10, returns the appropriate resolvents.

 1 procedure eresolvent(C, H_i(x))
 2 // C is a sometime clause Q ⇒ A◇¬l or Q ⇒ E⟨ind⟩◇¬l
 3 // H_i(x) = ¬⋀_{i=1}^{n} G_i(x) is a loop formula
 4 begin
 5   if H_i(x) = true then
 6     G_i(x) := false;
 7   end if
 8   if C is an A-sometime clause then
 9     resolvents := {⌈¬Q⌉(x) ∨ ¬Q_l(x) ∨ G_i(x) | 1 ≤ i ≤ n}
                   ∪ {¬Q_{w^A_{¬l}}(x) ∨ ¬Q_l(app(s,x)) ∨ G_i(x)σ | 1 ≤ i ≤ n, σ = {x ← app(s,x)}}
                   ∪ {⌈¬Q⌉(x) ∨ ¬Q_l(x) ∨ Q_{w^A_{¬l}}(x),
                      ¬Q_{w^A_{¬l}}(x) ∨ ¬Q_l(app(s,x)) ∨ Q_{w^A_{¬l}}(app(s,x))};
10   else if C is an E-sometime clause then
11     resolvents := {⌈¬Q⌉(x) ∨ ¬Q_l(x) ∨ G_i(x) | 1 ≤ i ≤ n}
                   ∪ {¬Q_{w^{ind}_{¬l}}(x) ∨ ¬Q_l(app(s_ind,x)) ∨ G_i(x)σ | 1 ≤ i ≤ n, σ = {x ← app(s_ind,x)}}
                   ∪ {⌈¬Q⌉(x) ∨ ¬Q_l(x) ∨ Q_{w^{ind}_{¬l}}(x),
                      ¬Q_{w^{ind}_{¬l}}(x) ∨ ¬Q_l(app(s_ind,x)) ∨ Q_{w^{ind}_{¬l}}(app(s_ind,x))};
12   end if
13   return resolvents;
14 end

Figure 4.10: The eresolvent procedure

 1 procedure resolution_prover(N)
 2 begin
 3   Wo := ∅; Us := taut(sub(N));
 4   while (Us ≠ ∅ and ⊥ ∉ Us)
 5     Given := choose(Us);
 6     Us := Us \ {Given};
 7     Wo := Wo ∪ {Given};
 8     New := res(Given, Wo) ∪ fac(Given);
 9     New := taut(sub(New));
10     New := sub(sub(New, Wo), Us);
11     Wo := sub(Wo, New);
12     Us := sub(Us, New) ∪ New;
13   end
14   output();
15 end

Figure 4.11: A simple resolution prover [74]
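The loop search that Example 4.2 traces can be reproduced at the propositional level. The following Python is an added example, not code from CTL-RP: it enumerates candidate merged clauses by brute force over subsets of T and decides the side conditions $Y \Rightarrow l$ and $Y \Rightarrow H_{i-1}$ by truth tables, in place of the first-order set-of-support search with the $ls(x)$ marker; the A/E distinction in the choice of SOS is not modelled, and the names loop_search, EXAMPLE_T and the clause encoding are assumptions of this example.

```python
from itertools import combinations, product

# Constructed input: the three clauses of Example 4.2.  A step clause A => next(B) is
# encoded as (frozenset(A), frozenset(B)) with A a conjunction of propositions and B a
# disjunction of literals ("a" or "~a"); a global clause true => B has lhs frozenset().
EXAMPLE_T = [(frozenset({"a"}), frozenset({"l"})),     # a => A next l
             (frozenset({"b"}), frozenset({"l"})),     # b => A next l
             (frozenset({"a"}), frozenset({"a"}))]     # a => E<ind> next a

TRUE, FALSE = [frozenset()], []          # DNF encodings of the constants true and false

def holds(lit, v):
    return v[lit.lstrip("~")] != lit.startswith("~")

def eval_cnf(cnf, v):                    # conjunction of disjunctions (merged right-hand side)
    return all(any(holds(lit, v) for lit in cl) for cl in cnf)

def eval_dnf(dnf, v):                    # disjunction of conjunctions (loop formula H_i)
    return any(all(holds(lit, v) for lit in conj) for conj in dnf)

def assignments(*formulas):
    props = sorted({lit.lstrip("~") for f in formulas for part in f for lit in part})
    for bits in product([False, True], repeat=len(props)):
        yield dict(zip(props, bits))

def cnf_entails_dnf(cnf, dnf):
    return all(eval_dnf(dnf, v) for v in assignments(cnf, dnf) if eval_cnf(cnf, v))

def dnf_equiv(d1, d2):
    return all(eval_dnf(d1, v) == eval_dnf(d2, v) for v in assignments(d1, d2))

def loop_search(T, l):
    """Propositional E-loop search for a loop in ~l.  Returns (loop formula as a DNF, or
    None if there is none, [H_0, H_1, ...]); termination mirrors conditions (a)-(c) of eres."""
    h_prev, history = TRUE, []           # H_{-1} = true
    while True:
        h = []
        for k in range(1, len(T) + 1):
            for delta in combinations(T, k):              # merged clause m(delta) = X => next(Y)
                X = frozenset().union(*(c[0] for c in delta))
                Y = [c[1] for c in delta]
                if cnf_entails_dnf(Y, [frozenset({l})]) and cnf_entails_dnf(Y, h_prev):
                    h.append(X)                           # X is one of the A_j we look for
        h = list(dict.fromkeys(h))                        # remove duplicates, keep order
        h = [X for X in h if not any(Z < X for Z in h)]   # a weaker conjunction subsumes X
        history.append(h)
        if dnf_equiv(h, TRUE):   return TRUE, history     # (a) H_i equivalent to true
        if h == FALSE:           return None, history     # (b) H_i equivalent to false
        if dnf_equiv(h, h_prev): return h, history        # (c) H_i equivalent to H_{i-1}
        h_prev = h
```

On EXAMPLE_T the sequence of loop formulae is $a \vee b$, $a$, $a$, matching $H_0$, $H_1$ and $H_2$ of the example.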

We are now in a position to formulate the correspondence between derivations by $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$ and derivations by $\mathsf{R}^{\succ_{FOL},S_{FOL}}_{\mathsf{FOL}}$ supplemented by the eresolvent procedure, and to state the correctness of this approach to implementing $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$.

Let T be a set of $\mathrm{SNF}^g_{\mathsf{CTL}}$ clauses such that $T^{det}$ is the set of all determinate clauses in T and $T^{ev}$ is the set of all eventuality clauses in T. Let $\lceil T^{det}\rceil$ denote the set $\{\lceil\Gamma\rceil \mid \Gamma \in T^{det}\}$ of first-order clauses representing the determinate clauses in $T^{det}$.

Then an $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$-emulating derivation from T by $\mathsf{R}^{\succ_{FOL},S_{FOL}}_{\mathsf{FOL}}$ is a sequence $N_0, N_1, N_2, \ldots$ of sets of first-order clauses such that $N_0 = \lceil T^{det}\rceil$ and for every $i$, $i \geq 0$,

1. $N_{i+1} = N_i \cup \{C\}$ where C is the condensation of a clause derived by applying the ordered resolution with selection rule of $\mathsf{R}^{\succ_{FOL},S_{FOL}}_{\mathsf{FOL}}$ with an atom ordering $\succ_{FOL}$ and a selection function $S_{FOL}$ corresponding to $\succ$ and $S$, respectively, to premises in $N_i$; or

An $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$-emulating refutation of T by $\mathsf{R}^{\succ_{FOL},S_{FOL}}_{\mathsf{FOL}}$ is an $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$-emulating derivation $N_0, N_1, \ldots$ from T by $\mathsf{R}^{\succ_{FOL},S_{FOL}}_{\mathsf{FOL}}$ such that for some $i \geq 0$, $N_i$ contains the empty clause.

Theorem 4.3 Let T be a set of $\mathrm{SNF}^g_{\mathsf{CTL}}$ clauses. Then T has a refutation by $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$ iff there is an $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$-emulating refutation of T by $\mathsf{R}^{\succ_{FOL},S_{FOL}}_{\mathsf{FOL}}$.

Proof. Let $T_0, T_1, \ldots$ be a refutation of $T = T_0$ by $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$, where we restrict applications of ERES1 and ERES2 to loop formulae that can be found by a CTL equivalent of our loop search algorithm. First, we establish that this restriction preserves completeness. Our loop search algorithm eres in Figure 4.9 is essentially the same as the loop search algorithm in Section 3.4.3. The only difference is that we provide implementations for the following two tasks of the loop search algorithm in Section 3.4.3.

(1) Search in T for merged clauses of the form $X_j \Rightarrow \mathbf{A}\bigcirc Y_j$, $X_j \Rightarrow \mathbf{E}_{\langle ind\rangle}\bigcirc Y_j$, and $X_j \Rightarrow Y_j$ such that $Y_j \Rightarrow l$ is provable in propositional logic.

(2) Search in T for merged clauses of the form $X_j \Rightarrow Y_j$, $X_j \Rightarrow \mathbf{A}\bigcirc Y_j$ or $X_j \Rightarrow \mathbf{E}_{\langle ind\rangle}\bigcirc Y_j$ such that $Y_j \Rightarrow l$ and $Y_j \Rightarrow H_i$ are provable in propositional logic.

Thus, we only need to prove the correctness of our implementation of these two tasks. We first give a number of useful definitions.

Using the algorithm eres, we essentially search for clauses in SOS to form such merged clauses. Let $T_l$ be the set such that a clause $\Gamma$ is in $T_l$ iff $\lceil\Gamma\rceil$ is in SOS.

If there exists a set $\Delta$ of $\mathrm{SNF}^g_{\mathsf{CTL}}$ clauses such that all clauses in $\Delta$ can be merged into one merged clause, then we use $m(\Delta)$ to denote this merged clause.

Let Q be a conjunction of literals. Then we use cond(Q) to denote a conjunction of literals $\bigwedge_{i=1}^n p_i$ such that (i) for every $i$, $p_i$ is in cond(Q) iff $p_i$ occurs in Q, and (ii) for every $i, j$, $1 \leq i < j \leq n$, $p_i \neq p_j$. For example, if $Q = a \wedge b \wedge a$, then cond(Q) $= a \wedge b$.

We consider the case for ERES2, i.e. all E-step clauses in T have the same index $ind$. Therefore, any subset $\Delta$ of $T_l$ has a merged clause $m(\Delta)$. The proof for ERES1 is analogous.

For task (1), we need to prove that

(3) for every clause $G(x)$ in $T_2$, there exists a set $\Delta \subseteq T_l$ such that, for its merged clause $m(\Delta) = X \Rightarrow \ast Y$, $Y \Rightarrow l$ is provable and cond(X) $= P$, where $\lceil\neg P\rceil(x) = G(x)$ and $\ast$ is either empty or a temporal operator in the set $\{\mathbf{A}\bigcirc, \mathbf{E}_{\langle ind\rangle}\bigcirc\}$; and

(4) if there exists a set $\Delta \subseteq T_l$ such that, for its merged clause $m(\Delta) = X \Rightarrow \ast Y$, $Y \Rightarrow l$ is provable, then there exists a clause $G(x) = \lceil\neg P\rceil(x)$ in $T_2$ such that $X \Rightarrow P$, i.e. $\lceil\neg X\rceil(x)$ is equivalent to $G(x)$ or $\lceil\neg X\rceil(x)$ is subsumed by $G(x)$.

Firstly, we consider case (3). We know that, if a clause $G(x)$ is in $T_2$, then by the algorithm eres, $\lceil\Gamma_1\rceil$ is in $T_1$, where $\Gamma_1 = P \wedge \neg ls \Rightarrow \ast false$ and $\lceil\neg P\rceil(x) = G(x)$. We also know that $ls$ does not occur in SOS, that $\lceil\Gamma_2\rceil$ (where $\Gamma_2 = \neg ls \Rightarrow \mathbf{A}\bigcirc\neg l$) is in Goals, and that SOS is saturated. Therefore, $\lceil\Gamma_1\rceil$ must be derived using $\lceil\Gamma_2\rceil$ and clauses in SOS in resolution_sos. By Theorem 4.2, $\Gamma_1$ can also be derived using $\Gamma_2$ and $T_l$. We know from our step resolution rules that (5) the left-hand side of the resolvent of an application of a step resolution rule to two premises $P_1 \Rightarrow \ast D_1$ and $P_2 \Rightarrow \ast D_2$ is cond($P_1 \wedge P_2$). Let $\Delta \subseteq T$ be the set consisting of the clauses involved in the derivation of $\Gamma_1 = P \wedge \neg ls \Rightarrow \ast false$ and let $m(\Delta) = X \Rightarrow \ast Y$. Then cond(X) $= P$. Since false is derived, by the soundness of our step resolution rules the set $\{Y\} \cup \{\neg l\}$ is inconsistent, i.e. $Y \wedge \neg l \Rightarrow false$. Consequently, $Y \Rightarrow l$.

Secondly, we prove case (4). Assume $m(\Delta)$ is $X \Rightarrow \ast Y$.

• Assume Y is consistent. As $Y \Rightarrow l$, the set $W_r$ of propositional clauses is unsatisfiable, where $W_r = \{B \mid A \Rightarrow \mathbf{A}\bigcirc B \in \Delta\} \cup \{B \mid A \Rightarrow \mathbf{E}_{\langle ind\rangle}\bigcirc B \in \Delta\} \cup \{B \mid true \Rightarrow B \in \Delta\} \cup \{\neg l \mid \neg ls \Rightarrow \mathbf{A}\bigcirc\neg l\}$. In Theorem 3.7, we established that an unsatisfiable set of propositional clauses such as $W_r$ has a refutation by propositional ordered resolution with selection using the same ordering and selection function as for $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$. Furthermore, there is a derivation by the step resolution rules SRES1 to SRES3 and SRES6 to SRES8 such that $\Gamma_3 = Q \Rightarrow \ast false$ can be derived, where Q is a conjunction of literals. As Y is not unsatisfiable and $Y \Rightarrow l$, the clause $\neg ls \Rightarrow \mathbf{A}\bigcirc\neg l$ must be involved in deriving $\Gamma_3$. Since $ls$ does not occur in $T_l$, $\neg ls$ is in Q. Let $Q = \neg ls \wedge P$. Then $\Gamma_3 = P \wedge \neg ls \Rightarrow \ast false$. By Theorem 4.2 and the algorithm eres, $\lceil\Gamma_3\rceil$ is in $T_1$. Therefore, there exists a clause $G(x)$ in $T_2$ such that $G(x) = \lceil\neg P\rceil(x)$. Let $\Delta'$ be the set consisting of the clauses involved in the derivation of $\Gamma_3 = P \wedge \neg ls \Rightarrow \ast false$ and let $m(\Delta') = X' \Rightarrow \ast Y'$. As not all the clauses in $\Delta$ necessarily occur in that derivation, we obtain $\Delta' \subseteq \Delta$ and, consequently, $X' \subseteq X$. From (5), we know that $P = $ cond($X'$), so $X' \Rightarrow P$. Thus, $X \Rightarrow P$.

• Assume Y is inconsistent. In this case, even if the clause $G(x)$ cannot be found in $T_2$, the algorithm eres is still correct, as the possible resolvents generated for $\Delta$ can always be subsumed by some clauses in SOS. Assume $\Delta = \{A_1 \Rightarrow \ast C_1, \ldots, A_n \Rightarrow \ast C_n\}$ and $\bigwedge_{i=1}^n C_i$ is inconsistent. We also assume that (i) loop search is applied for the E-sometime clause $Q \Rightarrow \mathbf{E}_{\langle ind\rangle}\Diamond\neg l$; (ii) a loop can be found; and (iii) the formula $H_i$ built in the last iteration of the loop search is $H_i = D \vee (\bigwedge_{i=1}^n A_i)$. Then the resolvents generated for $\Delta$ are the following clauses:

$\Gamma_4 = true \Rightarrow \neg Q \vee \neg l \vee \bigvee_{i=1}^n \neg A_i$
$\Gamma_5 = w^{ind}_{\neg l} \Rightarrow \mathbf{E}_{\langle ind\rangle}\bigcirc(\neg l \vee \bigvee_{i=1}^n \neg A_i)$

As $\bigwedge_{i=1}^n C_i$ is inconsistent and SOS is saturated, there exists a clause $\lceil\Gamma_6\rceil$, where $\Gamma_6 = true \Rightarrow \bigvee_{j=1}^m \neg A'_j$, in SOS such that $\Delta' = \{A'_1 \Rightarrow \ast C'_1, \ldots, A'_m \Rightarrow \ast C'_m\} \subseteq \Delta$. Therefore, $\lceil\Gamma_6\rceil = \bigvee_{j=1}^m \lceil\neg A'_j\rceil(x)$ subsumes $\lceil\Gamma_4\rceil = \lceil\neg Q\rceil(x) \vee \neg Q_l(x) \vee \bigvee_{i=1}^n \lceil\neg A_i\rceil(x)$ and $\lceil\Gamma_5\rceil = \neg Q_{w^{ind}_{\neg l}}(x) \vee \neg Q_l(app(s_{ind},x)) \vee \bigvee_{i=1}^n \lceil\neg A_i\rceil(app(s_{ind},x))$.

For task (2), the proof is analogous. By the completeness of the loop search algorithm for CTL [15], our version of the loop search algorithm is complete as well.

Finally, we show by induction over the $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$ refutation that we can construct an $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$-emulating derivation $N_0, N_1, \ldots$ from T such that for every $i$, $i \geq 0$, $N_i = \lceil T_i^{det}\rceil$. The base case, where we consider $T = T_0$, is trivial, as by definition $N_0 = \lceil T_0^{det}\rceil$. For the induction step, we have to consider whether $T_{i+1}$ is derived from $T_i$ by adding the resolvent of a step resolution inference or the results of an application of an eventuality resolution rule. In the first case, Theorem 4.2 establishes the required correspondence. In the second case, since we use essentially the same loop search algorithm, the eresolvent procedure in Figure 4.10 will find a first-order representation of the same loop formula and return the first-order representation of the same result.

Therefore, if $T_i$ contains a contradiction for some $i \geq 0$, then $N_i$ contains the empty clause, as $N_i = \lceil T_i^{det}\rceil$. The $\mathsf{R}^{\succ,S}_{\mathsf{CTL}}$-emulating derivation $N_0, N_1, \ldots$ from T that we have just constructed is a refutation.

The proof for the reverse direction of the theorem is analogous. ⊓⊔

 1 procedure main(ϕ)
 2 // ϕ is a CTL formula
 3 begin
 4   N := transform_to_fol(transform_to_snf(simp(nnf(ϕ))));
 5   New := {C | C is a determinate clause in N};
 6   ST := {C | C is a sometime clause in N};
 7   SOS := ∅;
 8   do
 9     New := reduction_mrr(New);
10     SOS := resolution_sos(SOS, New);
11     New := ∅;
12     if (⊥ ∉ SOS) then
13       foreach A-sometime clause and E-sometime clause C in ST
14         G := eres(SOS, C);
15         if (G ≠ ∅) then
16           New := New ∪ G;
17         end if
18       end for
19       New := sub(New, SOS);
20     end if
21   while (⊥ ∉ SOS and New ≠ ∅)
22   output();
23 end

Figure 4.12: The main procedure of CTL-RP